SSL Install SSL certificate on DigitalOcean VPS

Discussion in 'Domains, DNS, Email & SSL Certificates' started by dooma, Nov 6, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    45,468
    10,319
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,005
    Local Time:
    4:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Yup need to update as per this post here
     
  2. dooma

    dooma Active Member

    303
    31
    28
    Oct 15, 2016
    Cairo
    Ratings:
    +44
    Local Time:
    8:57 PM
    Code (Text):
    # ls -lah ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt;
    ls: cannot access ssl_trusted_certificate: No such file or directory
    -rw-r--r-- 1 root root 4.1K Nov  9 02:07 /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt
    
     
  3. eva2000

    your post at SSL - Install SSL certificate on DigitalOcean VPS | Centmin Mod Community shows that it exists though?
    Code (Text):
    ls /usr/local/nginx/conf/ssl/domain.com
    dhparam.pem                  ssl-trusted.crt             domain_com.crt
    hpkp-info-primary-pin.txt    ssl-unified.crt             domain.com.crt
    hpkp-info-secondary-pin.txt  domain.com-backup.csr  domainname.com.csr
    Server01.csr                 domainame-backup.key  domain.com.key
    Server01.key                 mydomainname_com.ca-bundle

    Should check with
    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt
    
     
  4. dooma

    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt
    -rw-r--r-- 1 root root 4.1K Nov  9 02:07 /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt
    
     
  5. eva2000

    looks right, just need to update as per this post here
     
  6. dooma

    I'm sorry for re-asking you, what do you mean by changing the point to ssl-trusted.crt?

    Thanks
     
  7. eva2000

    in your domain.com.ssl.conf vhost file you have a line for
    ssl_trusted_certificate with a path pointing to a non-existent crt file; change that path to /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt
     
  8. dooma

    Thanks a lot, nginx restarted successfully and the website is up now, but the certificate is still not running, and when I go to https://mywebsite.com it says the connection is not private. When I check with nginx -t it gives me only 1 error, which is:
    Code (Text):
    nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
    
     
  9. eva2000

    when you created ssl-unified.crt, was domain_com.crt provided by the SSL provider?
    Code (Text):
    cat domain_com.crt domain_com.ca-bundle > ssl-unified.crt
    

    run your site through the SSL test at SSL Server Test (Powered by Qualys SSL Labs) - you'd probably need to publicly reveal the domain name to troubleshoot further, as "not private" could mean mixed-content errors, which are web app specific and you have to troubleshoot yourself

    mixed content errors: How to fix a website with blocked mixed content - Web security | MDN
     
  10. eva2000

    also post output for
    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/domain.com

    checking file sizes; maybe your domain_com.crt is zero size as you didn't transfer it properly to the server
     
  11. dooma

    Yes, it was provided. I got an email containing 2 files:
    1- domain_com.ca-bundle

    2- domain_com.crt
     
  12. eva2000

    make sure your domain.com.ssl.conf has
    Code (Text):
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/ssl-trusted.crt;

    for proper OCSP stapling, as outlined at
    Module ngx_http_ssl_module
     
  13. dooma

    I checked the OCSP and it's correct, and that's the output:

    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/domain.com
    total 76K
    drwxr-xr-x 2 root root 4.0K Nov  8 00:34 .
    drwxr-xr-x 3 root root 4.0K Nov  3 02:55 ..
    -rw-r--r-- 1 root root  424 Nov  8 00:55 dhparam.pem
    -rw-r--r-- 1 root root   45 Nov  3 02:56 hpkp-info-primary-pin.txt
    -rw-r--r-- 1 root root   45 Nov  3 02:56 hpkp-info-secondary-pin.txt
    -rw-r--r-- 1 root root 1017 Nov  7 00:21 Server01.csr
    -rw-r--r-- 1 root root 1.7K Nov  7 00:21 Server01.key
    -rw-r--r-- 1 root root 4.1K Nov  9 02:07 ssl-trusted.crt
    -rw-r--r-- 1 root root 5.9K Nov  9 02:06 ssl-unified.crt
    -rw-r--r-- 1 root root 1.1K Nov  3 02:56 mydomain.com-backup.csr
    -rw-r--r-- 1 root root 1.7K Nov  3 02:56 mydomain.com-backup.key
    -rw-r--r-- 1 root root 4.1K Nov  8 00:29 mydomain_com.ca-bundle
    -rw-r--r-- 1 root root 1.9K Nov  8 00:31 mydomain_com.crt
    -rw-r--r-- 1 root root 1.3K Nov  3 02:56 mydomain.com.crt
    -rw-r--r-- 1 root root 1.1K Nov  3 02:56 mydomain.com.csr
    -rw-r--r-- 1 root root 1.7K Nov  3 02:56 mydomain.com.key
    
     
  14. eva2000

    not much else I can do without ssllabs results as per SSL - Install SSL certificate on DigitalOcean VPS | Page 2 | Centmin Mod Community and knowing the actual domain name.

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. The output will show the path location where it will create the domain name's vhost conf file, named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please re-post the contents of the latest version of your /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)
     
  15. dooma

    Hi,

    I tried to make it again by concatenating the .crt and .ca-bundle files within the archive using the following command: cat *mydomainname*.crt *mydomainname*.ca-bundle >> cert_chain.crt, and then I removed the content of domain.com.crt and pasted the content of cert_chain.crt there, and I changed the content of ssl-trusted.crt (as concatenated). Finally I restarted my server but it failed and went down. I think there's only one missing step to complete the installation, so can you help me please. Here are some outputs that may be useful:

    Code (Text):
    nginx -t
    nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/nginx/conf/ssl/domain.com/domain.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    


    Code (Text):
    cat /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #       listen   80;
    #       server_name domain.com www.domain.com;
    #       return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}
    
    
      location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
      }
    
      location /internal_data/ {
        internal;
        allow 127.0.0.1;
        #allow my ISP ip;
        deny all;
      }
    
      location /library/ {
        internal;
        allow 127.0.0.1;
        #allow my ISP ip;
        deny all;
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  16. dooma

    Thanks I solved it and it's running ;)
     
  17. eva2000

    Are you sure you got it working? As this is incorrect:
    Code (Text):
    ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt;
    

    there are 3 SSL settings, each with its own path, for ssl_certificate, ssl_certificate_key and ssl_trusted_certificate in the domain.com.ssl.conf nginx HTTPS vhost, as per Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS
    Code (Text):
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/ssl-unified.crt;
      ssl_certificate_key /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
    
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt;
    
     
  18. dooma

    yes I resolved that and its working now :)
    Thanks a lot :)
    Much Appreciated :)
     
  19. eva2000

    excellent.. FYI, it's good to write down your notes for future reference ;) :)
     
  20. dooma

    1- There was a problem with the paths.
    2- There was a mismatch between the certificate and the private key; check this matcher.
    3- The dashes of the certificates were not copied well.

    Thanks :)
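The three problems in the summary above (wrong paths, a key that does not match the certificate, PEM dashes mangled by copy/paste) and the "issuer certificate not found" stapling warning from post 8 can all be caught before reloading nginx. The check below is an added example, not code from the thread or from Centmin Mod; it assumes openssl is installed and the ssl-unified.crt / ssl-trusted.crt / domain.com.key layout from post 17.

```shell
#!/bin/sh
# Added example, not code from the thread or from Centmin Mod. Assumes openssl
# is installed and the file layout used in the thread: ssl-unified.crt
# (leaf cert + CA bundle, for ssl_certificate), ssl-trusted.crt (CA bundle,
# for ssl_trusted_certificate) and <domain>.key (for ssl_certificate_key).
# It checks the three faults listed in the final post plus the stapling chain:
#   1. a configured path that is missing or a zero-size file,
#   2. "key values mismatch": the key does not belong to the leaf certificate,
#   3. PEM delimiters mangled by copy/paste ("dashes not copied well").
# Usage: check_ssl_dir /usr/local/nginx/conf/ssl/domain.com domain.com
# Returns 0 when every check passes, 1 otherwise (details on stdout).
check_ssl_dir() {
  dir=$1; name=$2; rc=0
  unified="$dir/ssl-unified.crt"; trusted="$dir/ssl-trusted.crt"; key="$dir/$name.key"

  # 1. every path must exist and be non-empty (a zero-size domain_com.crt
  #    left by a failed upload is a classic cause)
  for f in "$unified" "$trusted" "$key"; do
    [ -s "$f" ] || { echo "missing or empty: $f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1

  # 3. each BEGIN line needs a matching END line, both with exactly five dashes
  for f in "$unified" "$trusted"; do
    b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    e=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    if [ "$b" -eq 0 ] || [ "$b" -ne "$e" ]; then
      echo "malformed PEM delimiters in $f ($b BEGIN, $e END)"; rc=1
    fi
  done

  # 2. the public key in the first (leaf) certificate must equal the public
  #    key derived from the private key; this is the X509_check_private_key
  #    test that made nginx -t fail in the thread
  cert_pub=$(openssl x509 -in "$unified" -noout -pubkey 2>/dev/null) || cert_pub=""
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "key values mismatch: $key does not belong to $unified"; rc=1
  fi

  # stapling: ssl_trusted_certificate must let nginx build the chain up to the
  # issuer, or nginx warns "ssl_stapling ignored, issuer certificate not found"
  if ! openssl verify -CAfile "$trusted" -untrusted "$unified" "$unified" >/dev/null 2>&1; then
    echo "chain in $unified does not verify against $trusted"; rc=1
  fi
  return "$rc"
}
```

Run it against the vhost's certificate directory before `nginx -t`; a non-zero exit with the printed reason points at which of the three files needs fixing.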